Managing storage capacity in version families having both writable and read-only data objects

ABSTRACT

A technique for managing storage space in a data storage system generates liability values on a per-family basis, with each family including files in the file system that are related to one another by snapping. Each family thus groups together files in the file system that generally share at least some blocks among one another based on snapshot activities. Distinct files that do not share blocks based on snapping are provided in separate families. The technique further generates worst-case storage liability of a version family by differentiating between writable data objects and read-only data objects, thus allowing administrators to provide spare storage and/or prepare for increases in storage requirements as writable data objects grow and differentiate.

CROSS-REFERENCE TO RELATED APPLICATIONS

The contents and teachings of U.S. application Ser. No. 15/197,064, filed Jun. 29, 2016, are incorporated by reference herein in their entity.

BACKGROUND

Data storage systems are arrangements of hardware and software that include one or more storage processors coupled to arrays of non-volatile storage devices, such as magnetic disk drives, electronic flash drives, and/or optical drives, for example. The storage processors service storage requests, arriving from host machines (“hosts”), which specify files or other data elements to be written, read, created, or deleted, for example. Software running on the storage processors manages incoming storage requests and performs various data processing tasks to organize and secure the data elements stored on the non-volatile storage devices.

Some data storage systems employ a liability/insurance model to track required storage space. For example, when a file system built upon a storage pool initiates an action that would change the amount of storage space required from the pool, the file system calculates a “liability.” The liability identifies an estimate of the amount of storage space required from the pool to complete the action. If the storage pool has enough available storage space to cover the liability, then the pool may issue “insurance” against the liability, e.g., by increasing the amount of reserved space in the pool by the specified amount of liability. The file system may then proceed to perform the initiated action, as the storage space required to complete the action has been fully insured.

SUMMARY

Data storage systems commonly calculate liability on a per-file-system basis, with the assumption that each file system includes a single file that stores a production version of a data object and multiple other files that store snaps of the production version. As is known, a “snap” is a point-in-time version of a file that initially shares all blocks with the file from which it is snapped. A “block” is a unit of storage space that a file system may allocate.

Calculating liability per-file system works well when each file system is limited to a single production object and its snaps. Unfortunately, the prior approach is less well-suited for calculating liability for file systems that include multiple production objects (implemented in files) and their respective snaps.

Incorporated U.S. application Ser. No. 15/197,064, filed Jun. 29, 2016, introduces an improved approach for measuring liability in file systems that store multiple primary objects and their respective snaps. A question left unanswered by the prior application, however, is how to determine worst-case liability in situations where writable data objects are allowed to be completely overwritten. For example, some use cases permit snaps, which are often viewed as ephemeral and even dispensable objects, to be treated instead as preserved objects entitled to space guarantees. A snap in such case could be generated, accessed as writable, and overwritten in its entirety, or nearly so. If this were to happen across many snaps in a file system or other container, storage requirements could increase markedly. Although storage space may be adequate to provide space guarantees for all objects at their current sizes, storage space may be insufficient to support many writable objects as they become larger, become more and more differentiated from one another, and share fewer blocks.

In cases where writable objects are both space-guaranteed and allowed to grow and differentiate, a need arises to predict a worst-case amount of liability required from a pool to support such objects. Along these lines, an improved technique for generating storage liability in a pool of a data storage system differentiates between writable data objects and read-only data objects and estimates storage liability differently for each. In this manner, the improved technique provides sufficient liability to support growth and differentiation of writable objects, while limiting liability for read-only objects.

Data storage systems may apply such predicted liability in a variety of ways, such as by providing spare storage capacity, which a data storage system may bring online as needed to support storage requests. Administrators may use this information to plan for system growth, or to actually increase system storage capacity (e.g., by adding disk drives) to meet or approach the predicted liability. Programs may use this information to estimate when a pool will fill, and may alert administrators as needs arise to add more storage.

Certain embodiments are directed to a method of managing storage space in a data storage system. The method includes storing, in a file system built upon a storage pool, multiple version families, each of the version families including a respective set of files that are related to one another by file snapping but that have no block-sharing relationships induced by file snapping with files in other version families. In response to receiving a command to perform an action that would affect storage requirements of one or more files in a version family, the method further includes generating a family liability value, the family liability value providing an estimate of storage space that would be required for the version family if the action were performed. The method still further includes executing the command to perform the action based at least in part on the storage pool having enough available storage space to guarantee an amount of storage at least as large as the family liability value. The version family includes a set of writable files each having a maximum logical size, and the method further includes generating a worst-case liability value for the version family, the worst-case liability value providing an estimate of an amount of storage space that would be required from the storage pool if all of the set of writable files in the version family were overwritten with new data and filled to their respective maximum logical sizes.

Other embodiments are directed to a data storage system constructed and arranged to perform a method of managing storage space, such as the method described above. Still other embodiments are directed to a computer program product. The computer program product stores instructions which, when executed on control circuitry of a data storage system, cause the control circuitry to perform a method of managing storage space, such as the method described above. Some embodiments involve activity that is performed at a single location, while other embodiments involve activity that is distributed over a computerized environment (e.g., over a network).

The foregoing summary is presented for illustrative purposes to assist the reader in readily grasping example features presented herein; however, the foregoing summary is not intended to set forth required elements or to limit embodiments hereof in any way. One should appreciate that the above-described features can be combined in any manner that makes technological sense, and that all such combinations are intended to be disclosed herein, regardless of whether such combinations are identified explicitly or not.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

The foregoing and other features and advantages will be apparent from the following description of particular embodiments of the invention, as illustrated in the accompanying drawings, in which like reference characters refer to the same or similar parts throughout the different views. In the accompanying drawings,

FIG. 1 is a block diagram of an example environment in which embodiments of the improved technique hereof can be practiced;

FIG. 2 is a block diagram of an example file system of FIG. 1;

FIG. 3 is a block diagram of an example version family of FIG. 1, including example metadata structures;

FIG. 4 is a flowchart showing an example method for generating liability;

FIG. 5 is a flowchart showing an example method for managing storage space in a file system;

FIG. 6 is a flowchart showing an example method for generating worst-case family liability; and

FIG. 7 is a flowchart showing another example method for managing storage space in a file system.

DETAILED DESCRIPTION OF THE INVENTION

Embodiments of the invention will now be described. It is understood that such embodiments are provided by way of example to illustrate various features and principles of the invention, and that the invention hereof is broader than the specific example embodiments disclosed.

An improved technique for managing storage space in a data storage system generates worst-case storage liability of a version family by differentiating between writable data objects and read-only data objects and allows administrators to provide spare storage and/or prepare for increases in storage requirements as writable data objects grow and differentiate.

This detailed description is provided in the following sections:

Section I describes an example environment and technique for managing liability in data storage system on a per-version-family basis.

Section II describes particular improvements for predicting liability to account for growth potential of writable data objects.

Section I: Example Environment and Per-Version-Family Liability

FIG. 1 shows an example environment 100 in which embodiments of the improved technique hereof can be practiced. Here, multiple host computing devices 110 (“hosts”) access a data storage system 116 over a network 114. The data storage system 116 includes a storage processor, or “SP,” 120 and storage 180. The data storage system 116 may include multiple SPs like the SP 120 (e.g., a second SP, 120 a). In an example, multiple SPs may be provided as circuit board assemblies, or “blades,” which plug into a chassis that encloses and cools the SPs. The chassis has a backplane for interconnecting the SPs, and additional connections may be made among SPs using cables. No particular hardware configuration is required, however, as any number of SPs, including a single SP, may be provided and the SP 120 can be any type of computing device capable of processing host IOs.

In an example, the storage 180 includes multiple disk drives, such as magnetic disk drives, electronic flash drives, solid state drives, optical drives, and/or other types of drives. Such disk drives may be arranged in RAID (Redundant Array of Independent/Inexpensive Disks) groups, for example, or any other suitable fashion.

The network 114 may be any type of network or combination of networks, such as a storage area network (SAN), a local area network (LAN), a wide area network (WAN), the Internet, and/or some other type of network or combination of networks, for example. The hosts 110 may connect to the SP 120 using various technologies, such as Fibre Channel, iSCSI (internet SCSI—Small Computer System Interface), NFS (Network File System), and CIFS (Common Internet File System), for example. Any number of hosts 110 may be provided, using any of the above protocols, some subset thereof, or other protocols besides those shown. As is known, Fibre Channel and iSCSI are block-based protocols, whereas NFS, SMB 3.0, and CIFS are file-based protocols. The SP 120 is configured to receive IO requests 112 according to block-based and/or file-based protocols and to respond to such IO requests 112 by reading or writing the storage 180.

The SP 120 has one or more communication interfaces 122, a set of processing units 124, and memory 130. The communication interfaces 122 include, for example, SCSI target adapters and network interface adapters for converting electronic and/or optical signals received over the network 114 to electronic form for use by the SP 120. The set of processing units 124 includes one or more processing chips and/or assemblies. In a particular example, the set of processing units 124 includes numerous multi-core CPUs. The memory 130 includes both volatile memory, such as RAM (Random Access Memory), and non-volatile memory, such as ROM (Read Only Memory), disk drives, solid state drives, and the like. The set of processing units 124 and the memory 130 together form control circuitry, which is constructed and arranged to carry out various methods and functions as described herein. Also, the memory 130 includes a variety of software constructs realized in the form of executable instructions. When the executable instructions are run by the set of processing units 124, the set of processing units 124 are caused to carry out the operations of the software constructs. Although certain software constructs are specifically shown and described, it is understood that the memory 130 typically includes many other software constructs, which are not shown, such as an operating system, various applications, processes, and daemons.

As further shown in FIG. 1, the memory 130 “includes,” i.e., realizes by execution of software instructions, a file system 150, a file system manager 150 a, a sparse volume 160, a storage pool 170, and a pool manager 170 a. The file system manager 150 a manages operations of the file system 150, and the pool manager 170 a manages operations of the storage pool 170 a. Although a single file system 150 is shown, the data storage system 116 may include multiple file systems all sharing the same storage pool 170. Also, the data storage system 116 may include multiple storage pools, with each pool supporting its own respective file systems. The example shown is simplified and intended to be merely illustrative.

The storage pool 170 consumes the storage 180 (e.g., disk drives, solid state drives, etc.) and renders portions thereof in the form of extents 172. In a non-limiting example, extents 172 are fixed-size storage increments, such as 256 MB or 1 GB, which may be provisioned to file systems in the data storage system 116 for providing storage resources to those file systems.

The pool manager 170 a manages the provisioning of extents 172 from the pool 170 and performs accounting to manage insurance 174. For example, pool manager 170 a maintains a balance of reservations on storage extents 172 needed to cover all liability of any and all consumers of the storage pool 170, to ensure that space guarantees are maintained. In an example, the pool manager 170 a requires total insurance 174 always to meet or exceed total liability.

The file system 150 is built upon the sparse volume 160. In an example, each file system in the data storage system 116 has its own respective sparse volume. Provisioned extents 172 a have been provisioned from the storage pool 170 to satisfy storage requirements of file system 150. As the file system 150 grows and requires additional storage space, the file system 150 requests one or more additional extents 172 from the storage pool 170. Not all data objects in the file system 150 are necessarily fully space-guaranteed. Thus, there may be times when the file system 150 requests extents 172 for non-guaranteed objects but none are available without violating existing space guarantees.

As further shown in FIG. 1, the file system 150 includes multiple version families, VF1, VF2, etc., as well as an overhead family, OF. Each version family includes one or more files, which, where multiple files are provided, relate to one another by snapping. In some examples, one file in a version family may be a production file and the other files in that version family may be snaps (point-in-time versions) of that production file. In other examples, a version family may include multiple production files that each may have initially been snaps of some original file, which may or may not still be present. As the files in each version family are related by snapping, each of the files in a version family generally has block-sharing relationships with each of the other files in that version family. For example, each file in a version family typically shares at least one block (and often many blocks) with each of the other files in that version family. Version families generally do not share blocks with one another, however. Thus, a file in one version family has no block-sharing relationship with a file in any another version family.

In an example, the files within each version family provide file-based realizations of host-accessible data objects, such as LUNs, files systems, VVols (virtual machine disks, available from VMWare, Inc. of Palo Alto, Calif.), and/or other types of virtual machine disks, for example. Mapping (not shown) within the memory 130 translates the data in these files to corresponding data objects, which are then made accessible to hosts 110.

As is known, ‘snapping’ is a process whereby a file system creates a point-in-time version (snap) of a file by allocating a new inode (file-specific metadata structure) for the snap and copying attributes from the file's inode to the snap's inode. The copied attributes include one or more pointers to an indirect block tree of the file, which points to and arranges data blocks that store file data of the file. Creating a snap therefore allocates new metadata (the new inode) but no new data blocks. Rather, all data blocks of the file are initially shared with the snap. Over time, as the file evolves, write splits occur in which new data blocks are allocated to the file at written-to locations. The file's indirect block tree is updated to point to the newly-allocated blocks, with new indirect blocks allocated as needed. However, the snap's data blocks and indirect block tree remain unchanged. A consequence of a write split is that a data block of the file, which was previously shared with a snap, becomes “unique” (unshared). The block may become shared again later when another snap is taken, but such sharing will be between the file and the new snap, not with the previous snap.

Unlike the version families (e.g., VF1, VF2, etc.), the overhead family, OF, typically does not include files or snaps but rather metadata structures that are common to many or all version families. These may include, for example, inodes, per-block metadata, virtual block maps, metadata of the sparse volume 160, and/or other structures. The file system 150 may store many of these structures per metadata block, such that any one block may include metadata that applies to multiple version families. In alternative embodiments, metadata applying to different version families may be stored in respective sets of blocks, such that these sets of blocks may be included in the version families rather than in a separate overhead family.

In example operation, hosts 110 issue IO requests 112 to the data storage system 116. The SP 120 receives the IO requests 112 at the communication interfaces 122 and initiates further processing. Such processing may include, for example, performing reads and writes to files in version families of the file system 150.

At some point, the file system 150 receives a command 140 to perform an action that would affect storage requirements of one or more files in a version family. In various examples, the action specified by the command 140 may be to create or delete a data object in a version family, to create or delete a snap, or to convert a file in a version family from thin to thick, or vice versa. In some examples, the command 140 originates from outside the data storage system 116, e.g., from a host 110 or an administrative computer (not shown). In other examples, the command 140 originates from within the data storage system 116, e.g., from another software construct running on the SP 120, or even from within the file system manager 150 a itself, e.g., in response to the file system 150 requiring one or more additional storage extents 172 or being able to return one or more provisioned storage extents 172 a to the storage pool 170.

As is known, a “thick” file is a file that has a predetermined maximum size that is fully reserved. For example, the pool manager 170 a may provide 10 GB of insurance 174 to support a 10 GB thick file, even if the file only uses a fraction of that space. In contrast, a “thin” file is not fully reserved. Rather, reserved space for a thin file grows in response to the file being written-to, e.g., on demand in response to IO requests 112 from hosts 110. In an example, the file system 150 includes metadata that identifies a file as being either thin or thick, e.g., using an attribute of an inode of the file. Based on the setting of that attribute, the file system manager 150 a treats the file accordingly, e.g., by fully reserving space to accommodate a maximum predetermined size of the file if the file is designated as thick, and by not fully reserving such space if the file is designated as thin.

In response to receiving the command 140 that would affect storage requirements of a version family, the file system 150 generates a family liability value. The family liability value provides an estimate of storage space that would be required for that version family if the action were performed. For example, if the action specified by command 140 is to create a new thick object, the new object would require additional liability at least as large as the maximum predetermined size of that thick object.

In some examples, generating family liability involves determining space requirements for both file data and certain metadata (e.g., indirect blocks) specific to the version family. In further examples, overhead liability is also determined at this time, to account for metadata not specific to the particular version family but necessary to fully support the specified action.

Once family liability is generated (e.g., for data, for metadata, for both, and/or for the overhead family), the file system manager 150 a sends an insurance request 152 to the pool manager 170 a specifying the generated liability value or values. The pool manager 170 a then checks for available space in the storage pool 170, accounting for existing reservations indicated by insurance 174. The pool manager 170 a then issues an insurance reply 154. If the pool 170 has available storage space greater than or equal to the requested liability value(s), the insurance reply 154 grants the insurance request 152. The action specified by command 140 may then proceed. However, if the pool 170 does not have enough available storage to meet the request 152, the insurance request 152 is denied and the action specified by the command 140 does not proceed.

Data storage system 116 may generate new family liability values in response to newly arriving commands and may provide different family liability values for different families. Liability values are thus generated on a per-family basis. As will be described, generating liability in this way leverages relationships among family members and avoids greatly overestimating liability requirements in the file system 150.

FIG. 2 shows an example arrangement of file system 150 in additional detail. Here, it is seen that file system 150 has an address space 250, which ranges, for example, from zero to a large number. Each address in the address space 250 has an FSBN (File System Block Number) that uniquely identifies a respective block (see blocks 252). Some blocks 252 store file data while others store metadata. Some blocks 252 are shared among multiple files, whereas others are unique to a single file. Still other blocks 252 may be free, i.e., present within the address space 250 but not yet allocated to anything. Metadata stored in blocks within the file system address space 250 provide structure that defines files and version families in the file system 150.

FIG. 3 shows example metadata structures of file system 150. In an example, such metadata structures track information relevant to generating accurate family liability estimates.

As shown in FIG. 3, version family 310 includes multiple files, F1, F2, F3, and so on. Each file has an associated inode (index node), with inode 330 of file F2 shown in detail. Although the inode 330 relates particularly to file F2, it is intended to be representative of inodes of files in any version family.

Inode 330 stores attributes specific to the file F2, only some of which are shown. For example, inode number 332 uniquely identifies file F2 within the file system 150. Also, thin/thick attribute 334 specifies whether the file F2 is thin or thick. Read-only attribute 336 indicates whether the file F2 is read-only or writable. Some inode attributes are provided for both data and metadata (e.g., indirect blocks) of file F2, as described in the following table:

TABLE 1 Term Meaning for Data Meaning for Metadata blocksMapped 340a: Number of 340b: Number of indirect data blocks mapped blocks allocated to by the file; excludes support the file; holes; relevant for maintained in write IO thin files; maintained path; incremented for in write IO path; each indirect block incremented for each mapped. write to a hole. maxSize 342a: Predetermined 342b: Number of indirect maximum file size in blocks needed to support blocks; relevant for thick file at its maxSize thick files; (342a); calculated at file established at file creation. creation. blocksAllocated- 344a: Lower bound 344b: Lower bound on Uniquely on number of data number of indirect blocks blocks that are unique unique to file; maintained to this file; in write iO path; maintained in write incremented when writing IO path; incremented to shared indirect block or when writing to hole. shared block or hole.

The file system manager 150 a increments the attributes 344 a and 344 b for blocksAllocatedUniquely each time a write is performed to a shared block or a hole in the file. For example, writing to a hole (i.e., a previously unmapped location) causes a new block to be allocated, which therefore is initially unique. Also, writing to a shared block induces a write split, which causes a new block to be allocated. The new block is unique and thus is counted by blocksAllocatedUniquely. In an example, however, it is assumed that the write split in response to writing the source file does not cause the block to become unique in the shared file (the file with which the block was shared), as it is likely that the shared block was also shared with multiple other files, such that the write split would not cause the block to become unique in the other files.

The inode 330 further includes one or more block pointers, which point either to data blocks or to indirect blocks in the file system address space 250. For example, block pointer 346 points to an IB (Indirect Block) 350. Each block pointer includes a shared attribute 346 a, which indicates whether the block pointed-to by the block pointer 346 is shared or not, and an FSBN 346 b of the pointed-to block. Here, FSBN 346 b is the address of indirect block 350. A block pointer indicate a “hole” if its FSBN 346 b is blank, null, or otherwise invalid.

IB 350 includes an array of block pointers (e.g., 356 a, 356 b, 356 c, etc.), which may each be arranged identically to block pointer 346, for example. Each block pointer in the IB 350 may itself point to another IB or to a data block. IB's may thus be arranged in an IB tree 360, with leaf IBs of the IB tree 360 pointing to data blocks.

As further shown in FIG. 3, file system 150 includes version-family metadata for version family 310. Such version-family metadata includes blocksAllocated 320 a for data (D) and blocksAllocated 320 b for metadata (MD). The blocksAllocated 320 a for data maintains a count of all data blocks allocated to all files in the version family 310. Likewise, the blocksAllocated 320 b for metadata maintains a count of all indirect blocks (IB's) allocated to support all files in the version family 310. In an example, the metadata structures 320 a and 320 b are updated in an IO write path, with writes induced by IO requests 112 (FIG. 1) monitored to count each data block and indirect block allocated to the version family 310.

FIG. 4 shows an example method 400 for generating liability values in file system 150. The method 400 may typically be carried out by the file system manager 150 a, which runs in the memory 130 of SP 120.

Acts 410 and 420 generate first and second estimates (E1 and E2) for family liability, i.e., liability of a single version family. These acts may be performed in any order, or simultaneously.

Generating the estimate E1 at 410 involves producing a summation of maxSize (Table 1) over all thick files (1 to M) in the version family. Act 410 also involves producing a summation of blocksMapped (Table 1) over all thin files (1 to N) in the version family. The first estimate E1 is then provided as the sum of these summations. It can be seen from act 410 that the estimate E1 generates liability to fully reserve all thick files as well as all blocks mapped in all thin files. Estimate E1 may be an overestimate, however, as it fails to account for any blocks that may be shared. It should be appreciated that values for maxSize and blocksMapped may be obtained from the inodes of the files in question (see FIG. 3).

Generating the second estimate E2 at 420 involves adding the total blocks allocated in the version family, blocksAllocated, to a summation, over all thick files (1 to M) of the difference between the maximum predetermined size, maxSize, of each thick file and the number of blocksAllocatedUniquely in that thick file. The summation in 420 thus corresponds to the total number of shared blocks and holes in all thick files in the version family. Adding this summation to blocksAllocated yields estimate E2, which is often less than estimate E1, although not necessarily in all cases. It should be noted that maxSize and blocksAllocatedUniquely may be obtained from the inodes of the files in question, whereas blockAllocated may be obtained from version family metadata 320 a and/or 320 b. With estimates E1 and E2 established, act 430 generates family liability as the minimum of E1 and E2.

In an example, the acts 410, 420, and 430 are performed once for file data and again for file metadata (e.g., indirect blocks). For example, the file system manager 150 a may generate family liability for data using values of blocksAllocated (D) 320 a, blocksMapped 340 a, maxSize 342 a, and blocksAllocatedUniquely 344 a. Likewise, the file system manager 150 a may generate family liability for metadata using values of blocksAllocated (MD) 320 b, blocksMapped 340 b, maxSize 342 b, and blocksAllocatedUniquely 344 b.

In some examples, as shown in act 440, total family liability is generated as the sum of family liability for data and family liability for metadata. In other examples, family liability for data and metadata are kept separate.

At 450, the file system generates overhead liability for overhead family OF. In an example, the file system manager 150 a calculates overhead liability as a function of family liability for data and family liability for metadata.

With liability values for data, metadata, and overhead thus established, the file system manager 150 a may provide their sum in a single insurance request 152, for which a single insurance reply 154 is received (FIG. 1). Alternatively, the file system manager 150 a may provide separate insurance requests, one for data, one for metadata, and one for overhead, and receive respective insurance replies, or may provide insurance requests in any combination.

It should be appreciated that counting all shared blocks in all thick files, as is done by the summation for estimate E2, can help to reduce overestimates of liability, as it accounts for the fact that thick files may share blocks with one another and/or with thin files. Estimate E2 thus leverages block-sharing relationships among files within a version family, in a way that could not be achieved readily without arranging files in version families, as block-sharing relationships among files would be much more difficult to account for when estimating liability.

It should further be appreciated that estimate E2 reserves space for existing thin files (e.g., snaps) by counting all blocksAllocated in the version family. Thus, not only does estimate E2 insure that all thick files (any number of them) are fully reserved, but also that all snaps (and other thin files) are reserved, at least to the extent of their current sizes. With this arrangement, it should never be necessary to invalidate snaps to meet space guarantees of thick files, as the estimate E2 results in enough insurance to support the existing thin files.

Estimate E1 also avoids the need to invalidate snaps, as it counts all mapped blocks in thin files as well as the maximum sizes of all thick files. Thus, estimate E1 counts all blocks allocated to snaps, whether the snaps are thin or thick.

It may be noted that the mere act of creating a snap of a file will generally result in an increase in estimate E2. Taking a snap will cause all blocks in the file from which the snap is taken to become shared, thus reducing blocksAllocatedUniquely for that file to zero and increasing the overall estimate. In an example, liability is generated upon each lifecycle event of an object or snap, such that reserved space is kept current with version families as they evolve.

FIG. 5 shows an example method 500 for managing storage space in a data storage system. The method 500 may be carried out by the software constructs described in connection with FIG. 1. Also, the various acts of the method 500 may be ordered in any suitable way.

At 510, multiple version families (e.g., VF1, VF2, etc.; see FIG. 1) are stored in a file system 150 built upon a pool 170 of storage resources. Each version family includes a respective set of files (e.g., F1, F2, F3, etc.; see FIG. 2) that are related to one another by file snapping but that have no block-sharing relationships induced by file snapping with files in other version families.

At 520, in response to receiving a command 140 to perform an action that would affect storage requirements of one or more files in a version family, a family liability value is generated. The family liability value provides an estimate (see FIG. 4) of storage space that would be required for that version family if the action were performed.

At 530, an insurance-requesting operation is conducted. The insurance-requesting operation is configured to (i) grant insurance 154 to the version family when the pool 170 has enough available storage space to guarantee the family liability value (FIG. 4) and (ii) deny insurance to the version family when the pool 170 does not have enough available storage space to guarantee the family liability value.

At 540, the command 140 is executed to perform the action based at least in part on the insurance-requesting operation granting the insurance to the version family.

Section II: Predicting Liability to Account for Growth Potential of Writable Data Objects

Embodiments are now described in which data objects in version families can grow and differentiate over time, such that they may require additional liability. In an example, the embodiments disclosed in this section support use cases in which snaps are accessed as writable objects entitled to their own space guarantees.

Embodiments disclosed in this section build upon and incorporate embodiments disclosed in Section I. However, embodiments in this section are not limited to the particular details disclosed in Section I, except where such details are clearly required.

This section addresses a different question from the ones addressed in Section I. Embodiments of Section I address an amount of liability that should be requested of a pool for performing certain actions, such that those actions may only be carried out if the pool is able to ensure that liability. In contrast, embodiments of Section II address the issue of future growth, by considering what the effects would be if all writable files in a version family were allowed to grow to their maximum logical sizes and to differentiate from one another such that few if any blocks among the writable files are shared.

Although this disclosure uses the term “worst-case” in used herein to describe certain liability values, one should appreciate that the meaning of that term as used herein has a limited scope of application. In theory, a version family could grow to an infinite size, e.g., if new files are added or maximum limits are increased. However, as used herein the term “worst-case liability” assumes that no new files are added to a version set and that each file is maintained within its specified maximum size. It also assumes that no read-only files are changed to writable files. If changes such as these take place, new values of worst-case liability may be generated, which will then apply to the new configuration going forward, until another change in configuration is made.

As indicated in connection with FIG. 3 and Table 1, each file in a version set, whether that file is thin or thick, has the following attributes in its inode 330.

-   -   A blocksMapped attribute 340 a, which indicates a number of data         blocks actually mapped by the file. This attribute excludes         holes, i.e. logical addresses of the file that do not point to         any data. The file system 150 (FIG. 1) maintains blocksMapped as         a counter, which is incremented in the 10 path (i.e., in         response to IO requests 112) each time a block is written to a         hole in the respective file.     -   A maxSize attribute 342 a, which identifies a maximum logical         size of the respective file (e.g., a maximum number of blocks it         can contain). The maxSize of a file defines the file's logical         address space. Each logical address in the file is either mapped         (and thus counted in blocksMapped, above) or is a hole.     -   A blocksAllocatedUniquely attribute 342 a, which identifies a         lower bound on the number of data blocks that are unique to the         file. The file system 150 (FIG. 1) maintains         blocksAllocatedUniquely as a counter, which is incremented in         the 10 path (i.e., in response to IO requests 112) each time a         block is written to the respective file at a location (logical         address) that is either a currently-shared block or a hole.

The inode 330 also includes metadata versions of each of the attributes above, which are maintained as described in connection with Table 1 above.

The process for generating worst-case liability for a version family closely follows the process for generating family liability as described in connection with FIG. 4. For purposes of generating worst-case liability, however, we treat writable files as we treated thick files when generating family liability, and we treat read-only files as we treated thin files. This is not to say that writable files are always required to be thick, or that read-only files are always required to be thin. Rather, this statement is intended only to suggest that the processing and logic steps may be regarded as analogous.

FIG. 6 shows an example method 600 for generating liability values in file system 150. The method 600 may typically be carried out by the file system manager 150 a, which runs in the memory 130 of SP 120 (FIG. 1).

Acts 610 and 620 generate first and second approximations (A1 and A2) for worst-case family liability, i.e., liability of a single version family in the event that all writable files are filled to their maximum sizes and fully differentiated from one another. These acts may be performed in any order, or simultaneously.

Generating the approximation A1 at 610 involves producing a summation of maxSize (Table 1) over all writable files (1 to P) in the version family. In an example, writable files are those inodes 330 indicate writable status in read-only attribute 336. Act 610 also involves producing a summation of blocksMapped (Table 1) over all read-only files (1 to Q) in the version family, with read-only files also identified by respective attributes 336. The first approximation A1 is then provided as the sum of these summations. It can be seen from act 610 that the approximation A1 generates liability to fully reserve all writable files (up to their maximum logical sizes) as well as all blocks mapped in all read-only files. Approximation A1 may be an overestimate, however, as it fails to account for any blocks that may be shared. It should be appreciated that values for maxSize and blocksMapped in act 610 may be obtained from the inodes of the files in question (FIG. 3).

Generating the second approximation A2 at 620 involves adding the total blocks allocated in the version family, blocksAllocated, to a summation, taken over all writable files (1 to P) of the difference between the maximum logical size, maxSize, of each writable file and the number of blocksAllocatedUniquely in that writable file. The summation in 620 thus corresponds to the total number of shared blocks and holes in all writable files in the version family. Adding this summation to blocksAllocated yields approximation A2, which is often less than approximation A1, although not necessarily in all cases. It should be noted that maxSize and blocksAllocatedUniquely may be obtained from the inodes of the files in question, whereas blockAllocated may be obtained from version family metadata 320 a and/or 320 b. With approximations A1 and A2 established, act 630 generates worst-case family liability (WCFL) as the minimum of A1 and A2.

In an example, the acts 610, 620, and 630 are performed once for file data and again for file metadata (e.g., indirect blocks). For example, the file system manager 150 a may generate worst-case family liability for data (WCFL_(DATA)) using values of blocksAllocated (D) 320 a, blocksMapped 340 a, maxSize 342 a, and blocksAllocatedUniquely 344 a. Likewise, the file system manager 150 a may generate worst-case family liability for metadata (WCFL_(METADATA)) using values of blocksAllocated (MD) 320 b, blocksMapped 340 b, maxSize 342 b, and blocksAllocatedUniquely 344 b.

In some examples, as shown in act 640, worst-case total family liability (WCFL_(TOTAL)) is generated as the sum of WCFL_(DATA) and WCFL_(METADATA). In other examples, worst-case family liability for data and metadata are kept separate.

At 650, the file system generates overhead liability for overhead family OF. In an example, the file system manager 150 a calculates worst-case overhead liability as a function of worst-case family liability for data and worst-case family liability for metadata.

With liability values for data, metadata, and overhead thus established, the file system manager 150 a may provide their individual values and/or their sum to an administrative program, e.g., to inform an administrator about potential changes in storage requirements over time.

In addition to the above operations, the file system manager 150 a may aggregate values of worst-case liability in various ways. For example, file system manager 150 a may perform the above-described acts for each version family in the file system 150, and/or for all version families across all file systems built upon the pool 170, generating aggregate worst-case liability values, which may be even more useful when planning data storage system growth and resource allocation.

FIG. 7 shows an example method 700 for managing storage space in a data storage system. The method 700 may be carried out by the software constructs described in connection with FIG. 1. Also, the various acts of the method 700 may be ordered in any suitable way.

At 710, multiple version families (e.g., VF1, VF2, etc.; see FIG. 1) are stored in a file system 150 built upon a pool 170 of storage resources. Each version family includes a respective set of files (e.g., F1, F2, F3, etc.; see FIG. 2) that are related to one another by file snapping but that have no block-sharing relationships induced by file snapping with files in other version families.

At 720, in response to receiving a command 140 to perform an action that would affect storage requirements of one or more files in a version family, a family liability value is generated. The family liability value provides an estimate (see FIG. 4) of storage space that would be required for that version family if the action were performed.

At 730, the command 140 is executed to perform the action based at least in part on the storage pool 170 having enough available storage space to guarantee an amount of storage at least as large as the family liability value.

The version family includes a set of writable files each having a maximum logical size. At 740, a worst-case liability value (e.g., WCFL) is generated for the version family. The worst-case liability value provides an estimate of an amount of storage space that would be required from the storage pool 170 if all of the set of writable files in the version family were overwritten with new data and filled to their respective maximum logical sizes.

An improved technique has been described for generating a measure of worst-case storage liability in a pool 170 of a data storage system 116. The improved technique differentiates between writable data objects and read-only data objects and estimates storage liability differently for each. In this manner, the improved technique provides sufficient liability to support growth and differentiation of writable objects, while limiting liability for read-only objects.

Having described certain embodiments, numerous alternative embodiments or variations can be made. Further, although features are shown and described with reference to particular embodiments hereof, such features may be included and hereby are included in any of the disclosed embodiments and their variants. Thus, it is understood that features disclosed in connection with any embodiment are included as variants of any other embodiment.

Further still, the improvement or portions thereof may be embodied as a computer program product including one or more non-transient, computer-readable storage media, such as a magnetic disk, magnetic tape, compact disk, DVD, optical disk, flash drive, SD (Secure Digital) chip or device, Application Specific Integrated Circuit (ASIC), Field Programmable Gate Array (FPGA), and/or the like (shown by way of example as medium 550 in FIGS. 5 and 7). Any number of computer-readable media may be used. The media may be encoded with instructions which, when executed on one or more computers or other processors, perform the process or processes described herein. Such media may be considered articles of manufacture or machines, and may be transportable from one machine to another.

As used throughout this document, the words “comprising,” “including,” “containing,” and “having” are intended to set forth certain items, steps, elements, or aspects of something in an open-ended fashion. Also, as used herein and unless a specific statement is made to the contrary, the word “set” means one or more of something. This is the case regardless of whether the phrase “set of” is followed by a singular or plural object and regardless of whether it is conjugated with a singular or plural verb. Further, although ordinal expressions, such as “first,” “second,” “third,” and so on, may be used as adjectives herein, such ordinal expressions are used for identification purposes and, unless specifically indicated, are not intended to imply any ordering or sequence. Thus, for example, a “second” event may take place before or after a “first event,” or even if no first event ever occurs. In addition, an identification herein of a particular element, feature, or act as being a “first” such element, feature, or act should not be construed as requiring that there must also be a “second” or other such element, feature or act. Rather, the “first” item may be the only one. Although certain embodiments are disclosed herein, it is understood that these are provided by way of example only and that the invention is not limited to these particular embodiments.

Those skilled in the art will therefore understand that various changes in form and detail may be made to the embodiments disclosed herein without departing from the scope of the invention. 

What is claimed is:
 1. A method of managing storage space in a data storage system, the method comprising: storing, in a file system built upon a storage pool, multiple version families, each of the version families including a respective set of files that are related to one another by file snapping, as snap-induced descendants of a respective original file, but that have no block-sharing relationships induced by file snapping with files in other version families; in response to receiving a command to perform an action that would affect storage requirements of one or more files in a version family, generating a family liability value, the family liability value providing an estimate of storage space that would be required for the version family if the action were performed; and executing the command to perform the action based at least in part on the storage pool having enough available storage space to guarantee an amount of storage at least as large as the family liability value, wherein the version family includes a set of writable files each having a maximum logical size, and wherein the method further comprises generating a worst-case liability value for the version family, the worst-case liability value providing an estimate of an amount of storage space that would be required from the storage pool if all of the set of writable files in the version family were overwritten with new data and filled to their respective maximum logical sizes, and wherein providing the estimate of the amount of storage space that would be required from the storage pool if all of the set of writable files in the version family were overwritten with new data and filled to their respective maximum logical sizes is based on multiple block-sharing relationships in the version family being split, such that previously-shared blocks in the version family become differentiated and require additional storage space.
 2. The method of claim 1, further comprising: maintaining a blocksAllocated counter in the file system for the version family, the blocksAllocated counter maintaining a count of all data blocks allocated to all files in the version family; receiving, by the data storage system, an IO (Input/Output) request specifying data to be written to a particular file in the version family; and incrementing the blocksAllocated counter in response to the file system allocating a new data block for storing the data specified in the particular file in response to the IO request.
 3. The method of claim 2, wherein each file in the version family has a respective logical address space that includes a range of logical block addresses, each logical block address associated with either a mapped block or a hole, wherein the version family further includes a set of read-only files, and wherein the method further comprises: maintaining a blocksMapped counter for each of the set of read-only files in the version family, each blocksMapped counter indicating a separate count for each logical block address, in the respective file, that is associated with a mapped block.
 4. The method of claim 3, further comprising: generating a total of all maximum logical sizes (maxSize's) of files across all of the set of writable files in the version family; generating a total of all counts of blocksMapped counters across all of the set of read-only files in the version family; and generating a first approximation of worst-case liability as a sum of (i) the total of all counts of blocksMapped counter across all of the set of read-only files in the version family and (ii) the total of all maximum logical sizes (maxSize's) of files across all of the set of writable files in the version family.
 5. The method of claim 4, further comprising: maintaining a blocksAllocatedUniquely counter for each of the set of writable files in the version family, each blocksAllocatedUniquely counter maintaining, for the respective file, a count of all blocks written to logical block addresses associated with shared blocks and holes; receiving, by the data storage system, an IO (Input/Output) request specifying data to be written to a file in the set of writable files in the version family; and incrementing the blocksAllocatedUniquely counter maintained for that file in response to the file system directing data to be written to one of a shared block location or a hole location in that file in response to the IO request.
 6. The method of claim 5, further comprising: generating a writable block total based on a summation of differences between the maximum logical size (maxSize) of each of the set of writable files and counts of blocksAllocatedUniquely for each writable file, across all writable files in the version family; and generating a second approximation of worst-case liability as a difference between the writable block total and a value in the blocksAllocated counter.
 7. The method of claim 6, further comprising, generating a worst-case liability value for data in the version family as a lesser of the first approximation and the second approximation.
 8. The method of claim 7, further comprising: generating a worst-case liability value for metadata in the version family; generating a worst-case overhead liability based on the worst-case liability for data and metadata of the version family; and providing, as the worst-case liability for the version family, a sum of the worst-case liability for data, the worst-case liability for metadata, and the worst-case overhead liability.
 9. The method of claim 7, further comprising: repeating the act of generating the worst-case liability for all other version families in all file systems built upon the storage pool; generating a total worst-case liability for the storage pool as a whole as a sum of worst-case liabilities for all version families in all file systems built upon the storage pool; and reporting the total worst-case liability to an administrative program.
 10. A data storage system, comprising control circuitry that includes a set of processing units coupled to memory, the control circuitry constructed and arranged to: store, in a file system built upon a storage pool, multiple version families, each of the version families including a respective set of files that are related to one another by file snapping, as snap-induced descendants of a respective original file, but that have no block-sharing relationships induced by file snapping with files in other version families; in response to receiving a command to perform an action that would affect storage requirements of one or more files in a version family, generate a family liability value, the family liability value providing an estimate of storage space that would be required for the version family if the action were performed; and execute the command to perform the action based at least in part on the storage pool having enough available storage space to guarantee an amount of storage at least as large as the family liability value, wherein the version family includes a set of writable files each having a maximum logical size, and wherein the control circuitry is further constructed and arranged to generate a worst-case liability value for the version family, the worst-case liability value providing an estimate of an amount of storage space that would be required from the storage pool if all of the set of writable files in the version family were overwritten with new data and filled to their respective maximum logical sizes, and wherein the estimate of the amount of storage space that would be required from the storage pool if all of the set of writable files in the version family were overwritten with new data and filled to their respective maximum logical sizes is based on multiple block-sharing relationships in the version family being split, such that previously-shared block in the version family become differentiated and require additional storage space.
 11. A computer program product including a set of non-transitory, computer-readable media having instructions which, when executed by control circuitry of a data storage system, cause the control circuitry to perform a method for managing storage space in a data storage system, the method comprising: storing, in a file system built upon a storage pool, multiple version families, each of the version families including a respective set of files that are related to one another by file snapping, as snap-induced descendants of a respective original file, but that have no block-sharing relationships induced by file snapping with files in other version families; in response to receiving a command to perform an action that would affect storage requirements of one or more files in a version family, generating a family liability value, the family liability value providing an estimate of storage space that would be required for the version family if the action were performed; and executing the command to perform the action based at least in part on the storage pool having enough available storage space to guarantee an amount of storage at least as large as the family liability value, wherein the version family includes a set of writable files each having a maximum logical size, and wherein the method further comprises generating a worst-case liability value for the version family, the worst-case liability value providing an estimate of an amount of storage space that would be required from the storage pool if all of the set of writable files in the version family were overwritten with new data and filled to their respective maximum logical sizes, and wherein providing the estimate of the amount of storage space that would be required from the storage pool if all of the set of writable files in the version family were overwritten with new data and filled to their respective maximum logical sizes is based on multiple block-sharing relationships in the version family being split, such that previously-shared blocks in the version family become differentiated and require additional storage space.
 12. The computer program product of claim 11, wherein the method further comprises: maintaining a blocksAllocated counter in the file system for the version family, the blocksAllocated counter maintaining a count of all data blocks allocated to all files in the version family; receiving, by the data storage system, an IO (Input/Output) request specifying data to be written to a particular file in the version family; and incrementing the blocksAllocated counter in response to the file system allocating a new data block for storing the data specified in the particular file in response to the IO request.
 13. The computer program product of claim 12, wherein the method further comprises: maintaining a blocksAllocatedUniquely counter for each of the set of writable files in the version family, each blocksAllocatedUniquely counter maintaining, for the respective file, a count of all blocks written to logical block addresses associated with shared blocks and holes; receiving, by the data storage system, an IO (Input/Output) request specifying data to be written to a file in the set of writable files in the version family; and incrementing the blocksAllocatedUniquely counter maintained for that file in response to the file system directing data to be written to one of a shared block location or a hole location in that file in response to the IO request.
 14. The computer program product of claim 13, wherein the method further comprises: generating a writable block total based on a summation of differences between the maximum logical size (maxSize) of each of the set of writable files and counts of blocksAllocatedUniquely for each writable file, across all writable files in the version family; and generating an approximation of worst-case liability as a difference between the writable block total and a value in the blocksAllocated counter.
 15. The computer program product of claim 14, wherein each file in the version family has a respective logical address space that includes a range of logical block addresses, each logical block address associated with either a mapped block or a hole, wherein the version family further includes a set of read-only files, and wherein the method further comprises: maintaining a blocksMapped counter for each of the set of read-only files in the version family, each blocksMapped counter indicating a separate count for each logical block address, in the respective file, that is associated with a mapped block.
 16. The computer program product of claim 15, wherein the method further comprises: generating a total of all maximum logical sizes (maxSize's) of files across all of the set of writable files in the version family; generating a total of all counts of blocksMapped counters across all of the set of read-only files in the version family; and generating another approximation of worst-case liability as a sum of (i) the total of all counts of blocksMapped counter across all of the set of read-only files in the version family and (ii) the total of all maximum logical sizes (maxSize's) of files across all of the set of writable files in the version family.
 17. The computer program product of claim 16, wherein the method further comprises, generating a worst-case liability value for data in the version family as a lesser of the approximation and the other approximation.
 18. The computer program product of claim 17, wherein the method further comprises: generating a worst-case liability value for metadata in the version family; generating a worst-case overhead liability based on the worst-case liability for data and metadata of the version family; and providing, as the worst-case liability for the version family, a sum of the worst-case liability for data, the worst-case liability for metadata, and the worst-case overhead liability.
 19. The computer program product of claim 17, wherein the method further comprises: repeating the act of generating the worst-case liability for all other version families in all file systems built upon the storage pool; generating a total worst-case liability for the storage pool as a whole as a sum of worst-case liabilities for all version families in all file systems built upon the storage pool; and reporting the total worst-case liability to an administrative program. 